I deploy my CA cert via GPO into Trusted Root Certification Authorities, which I can see is deployed to my client machines. I know this part is working as Chrome no longer moans when browsing to sites using my signed SSL certs.
However, when I try and git clone or push to any repositories behind an SSL cert signed by this CA, git-for-windows bawlks and says this:
schannel: next InitializeSecurityContext failed: Unknown error
(0x80092012) - The revocation function was unable to check revocation
for the certificate.
As you can see, I've got schannel enabled, but git-for-windows is clearly not reading my CA cert from the Certificate Store in Windows. Any one know how I make gfw read from the Certificate Store in Windows? I can't manually copy this cert onto all my Windows clients, that'd take forever.
Perhaps worth noting I'm using multiple Samba 4 instances as Domain Controllers, but I don't have access to Windows Server tools such as AS Certificate Services.
nb. I know I can disable tls verification, but that surely defeats the purpose.
Related
I have a 3rd party development tool that was written in Golang. My company uses Netskope which injects self-signed certificates in any SSL traffic from my machine so they can monitor all traffic for security purposes. The application is failing with the error
"self signed certificate in certificate chain" when it tries to connect out to a site on the public internet, I assume because of these self-signed certificates in the chain
I found some comments that say the logic for certification verification on Windows can be found in https://go.dev/src/crypto/x509/root_windows.go, but I cannot find any documentation for Windows about this (only Linux). From looking at that code, my understanding is I need to have the CA certification set up in the local machine store as a Trusted Root CA but that isn't working for me. The screenshot here shows the CA certificates in my Local Machine trusted root CA store. I deploy to Linux containers, in JVM or other applications to allow them to trust these self-signed certificates.
Am I doing something wrong in setting up the CA certs in my Certificate Store? Is there any documentation on this? Is there another way I can configure on Windows any Golang application running on my machine to trust the CA for these self-signed certificates? I see on Linux you can similarly add the CA to your store, or use environment variables SSL_CERT_FILE and SSL_CERT_DIR, and I've been able to do this for other Golang applications in Linux containers.
I'm fairly new to the whole certificate shebang and not a versed Linux admin.
In our company, we run a Windows domain, but we also have some CentOS servers for different services.
On one of said servers we have our ticket system, which is browser based. I want to certify it with a certificate, signed by our Windows root CA, but no matter what I do, the certificate is shown as invalid in the browser.
Funny enough, both certificates in the chain (CA -> server) are shown as valid.
I already did the following:
start certificate process from scratch
tried different certificate formats (.cer, .pem)
verified server cert with root cert
checked validity with openssl (OK)
checked SSL connection with openssl, no issues
added root cert to Linux server trusted CA store
recreated cert chain (of 2)
restarted Apache over and over
reset browser cache
tried different browser
checked DNS entries
checked, if root CA is trusted in Windows (it is)
manually installed server cert in my browser
Both the server cert and the root cert show up as valid in the browser, with the correct relation.
I'm completely lost here. Is there some key step I forgot and not one of the ~30 guides I read forgot to mention?
Any help is greatly appreciated
Your question is missing some information:
Did you check the SSL connection from outside the server?
Did you verify the RootCA cert is inside the cert-store of the server (sometimes it is rejected without error messages)?
I would check the reason for rejecting the certificate in the browser (FireFox is usually more informative than Chrome), and look for the error-code.
Reasons can be (some of which you have already verified):
Wrong certificate properties (missing the required values in the "usage" attribute)
Wrong domain name
Expired certificate
Certificate could not be verified on the client-side
See this image as an example of an error code:
https://user-images.githubusercontent.com/165314/71407838-14f55a00-2634-11ea-8a30-c119d2eb1eb1.png
I want to have a certificate that has a different CA cert for it.
Reason? - For self signed certs, most browsers handle this as a invalid certificate. I know I can ignore those warnings but I just don't want to get them in the first place.
I tried googling how to create such a certificate but found so many sites where only a self signed certificate is created.
Therefore, how can such a certificate + CA certificate be generated and is there a better synonym for such a certificate pair?
If you need certificate signed by trusted CA there are two options:
You can get free letstencrypt certificate.
This certificate will work everywhere, not only your testing machine.
To get such certificate you need to own (e.g. buy) some domain, so you can pass certbot ownership challenge.
If you need to test local server, you can get certificate for subdomain (e.g. local-test.example.com is subdomain of example.com) and map that subdomain to 127.0.0.1 in /etc/hosts.
For purpose of local testing, certificate signed by self-signed CA can be sufficient.
Google Chrome and most other applications will accepts such certificate after you install/trust your self-signed CA (some applications may require restart).
There are some convenient tools written in go and js.
I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.
Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be pre installed so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When Accessing the site I Get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome when I view the certificate information it I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Sefl signed certificate always triger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate wich was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert. signed with the CA and put it on the web server. The clients install public part of the CA cert in "Trusted CA" certificate store. When client conect to the web server the server sent the signed SSL certificate, the client check if it is a "trusted" cert (was signed by a trusted CA) and if everithing is Ok the client doesn't show the warning.
You ended with this cert chain:
CA cert->SSL cert
CA cert public part is installed in client broser as trusted CA. SSL is put in the web server. Client validate SSL cert agaist its Trusted CA certs installed in its Certificate Stores.
It is like CyberTrus CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably the encryption protocols that your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allow you to enter a web site, and they'll throw a battery of test transactions at it to test it's security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2